Post navigation

Could iPhone’s fingerprint sensor help kill off passwords?

It’s a barely noticeable stainless steel ring, embedded in the new iPhone’s home button.

But the fingerprint sensor built into Apple’s latest smartphone, which was unveiled on Tuesday, could signify the beginning of the end for the pesky password.

The Touch ID feature will allow users to access their phones with a press of the finger, without the need to remember complex sequences of letters or numbers.

Biometric technology, which uses the body’s unique features as an identification technique, has been around for a while.

Scotland Yard used fingerprints as early as 1901, and Sir Arthur Conan Doyle knew enough about the distinctive features of the human ear to work it into one of his Sherlock Holmes stories.

Yet passwords have prevailed.

It’s not that fingerprint sensors don’t already exist; they are widely used on PCs in the business sector. But experiments with older smartphones, such as the Motorola Atrix 4G, were plagued with problems and soon abandoned.

So is this latest development just another gimmick, or a sign of things to come?

Pivotal moment

Gummi bears proved a sticky problem after cryptographers used them to replicate fingerprints

Mark Lockie, managing editor of news site Planet Biometrics, thinks it is the latter.

“The industry has been waiting for a moment like this,” he told the BBC.

Apple’s intention to embrace biometric technology was made clear in July 2012, when it bought mobile security company Authentec, which developed fingerprint sensor chips, for $356m (£226m).

The investment caused shares in other biometric firms to rise on the back of speculation that they too might become takeover targets.

‘No panacea’

“We’re all essentially walking passwords,” explains Prof Mark Nixon of the University of Southampton.

He works on cybersecurity systems which recognise unique human characteristics such as facial features and gait patterns.

But, he warns, despite biometrics offering a more convenient way of securing our devices, it is “no panacea”, and there are pitfalls.

Companies looking to adopt fingerprint security have had to worry about the possibility of the tech failing to recognise an owner and locking them out.

That, says Mr Lockie, is the “absolute worst case scenario”.

“People would dump the thing within two weeks.”

Taking precautions

Shrivelled fingers, cold weather or even a paper cut could all cause a fingerprint reader to struggle to recognise the right person.

Apple is hoping to avoid that by scanning “sub-epidermal skin layers” at a very detailed level, in other words beyond the mere surface of a finger.

But the technology could still face other problems.

“Fingerprint readers are undoubtedly not particularly secure,” says Dr Andrew Martin, from the University of Oxford’s department of computer science.

Indeed, cryptographers have previously found success in “spoofing” fingerprints using the gelatine found in Gummi Bears, and we leave fingerprints wherever we go – an easy target for anyone trying to fake them.

There are also privacy concerns.

Biometric data is usually encrypted and stored on a device’s local processor, but this method is by no means foolproof, especially if the data is being used to carry out online transactions.

And after the leaks by whistle-blower Edward Snowden highlighted how the NSA and GCHQ government agencies monitor our online activity, many will be wary of having information about their body stored in digital form.

Forging ahead

Despite its drawbacks, however, technology companies around the world are teaming up to make biometric security the standard system for online purchases.

The Fido (fast identity online) Alliance – which includes Blackberry, Google and Paypal – exists to “reduce the reliance on passwords to authenticate users”.

Bionym’s wristbands measure the rhythm of a human pulse, which is unique to each person.

It advocates a recognised, easy-to-use system for using biometrics in online purchases, logins and even to verify a big decision such as “delete all my emails”.

And biometric systems’ ease may outweigh the potential security risks – at least for the average user.

“What you really have to do is look at the bigger picture and ask who it is you are protecting against,” says Dr Martin.

“No one would argue that these biometrics are terribly secure, but they are convenient to use and avoid problems like being overlooked while typing your password.”

Beyond fingers

So what comes next?

One possibility is “multi-modal biometrics”, a system which uses a few different techniques in tandem, such as an iris reader, voice recognition and fingerprint technology – adding an extra layer of security.

Some of Google’s Android devices are loaded with a facial recognition system, which has been generally successful in easing the process of logging in, although it can be fooled if the handsets or tablets are pointed at a photo or video clip of the owner.

Another recent experiment, by technology company Bionym, uses a wristband to measure the rhythm of your pulse, which it says is unique to each person.

Fourth identifier

And there may be even more coming.

Cybersecurity systems tend to be based on three identifiers: something you know, like your mother’s maiden name; something you have, like an access code or token; and something you are, like your fingerprint.

GPS-enabled smartphones enable you to add yet another dimension: “somewhere you are”.

A smartphone could potentially block a log-in from a phone that is suddenly several miles away from its usual location, particularly useful in the case of a theft.

Overall, however, the evolution of biometric technology is still a gradual process.

But Mark Lockie is optimistic.

“In mobile world where infrastructure is more developed, there is a high chance that biometrics will eventually replace passwords,” he predicts.

For now, though, it still pays to remember the name of your first pet.